Updates To Saudi Arabia's Personal Data Protection Regulations: SCCs, Guidelines And More

Mayer Brown

As part of the latest developments regarding the personal data protection regulations in the Kingdom of Saudi Arabia ("KSA"), the Saudi Data and Artificial Intelligence Authority ("SDAIA") issued the Regulation on Personal Data Transfer Outside the Kingdom (the "Data Transfer Regulations") on September 1, 2024, which amended the previously issued data transfer regulations under the Personal Data Protection Law issued by Royal Decree No. M/19 dated 9/2/1443H (as amended) (the "PDPL"). In addition, SDAIA issued standard contractual clauses for personal data transfers outside of the Kingdom.

DATA TRANSFER REGULATIONS

  1. The Data Transfer Regulations provide the definition of Appropriate Safeguards as follows: The requirements imposed by the competent authority on controllers, which include adherence to the Law and Regulations when transferring or disclosing personal data to entities outside the Kingdom. This applies in cases where exemptions are granted from the conditions for providing an appropriate or minimum level of personal data protection, to ensure appropriate levels of protection when transferring personal data outside the Kingdom that meet at least the standards prescribed by the Law and Regulations.
  2. The Data Transfer Regulations provide parallel provisions in relation to adequate jurisdictions and purposes for transfer that were provided under the prior regulations.
  3. Article 4 of the Data Transfer Regulations provides that the controller must implement the following appropriate safeguards for the transfer of personal data:
    (a) Standard contractual clauses;
    (b) Binding common rules; and
    (c) Certificate of accreditation.
  4. Article 4 of the Data Transfer Regulations further provides that controllers relying on one of the three appropriate safeguards available will be exempt from the obligation to limit the data transferred to the minimum amount of personal data needed.
  5. The Data Transfer Regulations provide that a risk assessment must be conducted where a controller has implemented an appropriate safeguard or where sensitive data is being transferred to entities outside KSA on a continuous or widespread basis. The scope of the risk assessment obligation has been reduced compared to the scope provided in the prior regulations.

STANDARD CONTRACTUAL CLAUSES

  1. The Data Transfer Regulations provide the definition of Standard Contractual Clauses as follows: Mandatory provisions governing the transfer of personal data outside the Kingdom that ensure an appropriate level of protection for such data not less than the standard prescribed by the Law and Regulations. These provisions are in accordance with a standard form issued by the competent authority.
  2. There are four published versions of the Standard Contractual Clauses (controller to processor, controller to controller, processor to controller and processor to processor).
  3. Any modification of the Standard Contractual Clauses will render them invalid, and the provisions of a contract must not conflict with the Standard Contractual Clauses.
  4. Standard Contractual Clauses can involve more than two parties, so controllers and additional processors can be bound by such clauses as personal data exporters or personal data importers, depending on the nature of their role throughout the duration of the relevant contract(s).
  5. Personal data may not be transferred under the Standard Contractual Clauses if the laws and regulations of the recipient country or international organization prevent the personal data importer from complying with the Standard Contractual Clauses.
  6. Standard Contractual Clauses require data importers (based outside of KSA) to comply with and enforce any binding decision under KSA laws and regulations which may impose a burden on international shareholders receiving personal data from KSA.

BINDING COMMON RULES

  1. The Data Transfer Regulations provide the definition of Binding Common Rules as follows: Rules established by the controller, applicable to each controller and processing party within a group of multinational entities, that ensure appropriate protection for personal data transferred outside the Kingdom at a level not less than that prescribed by the PDPL and its regulations.
  2. Any group of entities, including the personal data importer, must cooperate with the competent authority (i.e., SDAIA), comply with all its requests and inquiries and provide the necessary documents and information to ensure adherence to the Binding Common Rules.
  3. The Binding Common Rules must include, for example, the controller's obligations as set out under the PDPL, data subject rights, and procedures for notifying SDAIA and data subjects where a data breach or similar incident has occurred. The Binding Common Rules guidelines also provide that a record of members under the Binding Common Rules and records of processors and sub-processors must be maintained.

In addition, SDAIA published several guidelines to provide additional input on the applicable framework and to help facilitate compliance with other key areas of the PDPL, such as data protection officer (DPO) appointments, privacy policy guidelines, personal data destruction, anonymization and pseudonymization guidelines and data disclosure cases guidelines.

We are monitoring any further developments in this area. Please do not hesitate to contact us if you have any questions or need assistance with your organization's compliance framework in light of these developments in Saudi Arabia.

© Copyright 2024. The Mayer Brown Practices. All rights reserved.